On behalf of my client Red Alert Labs, I have been participating in meetings of the Industry IoT Consortium (formerly known as the Industrial Internet Consortium). Since Red Alert Labs specializes in IoT security regulation, Roland Atoui, the president of RAL, and I volunteered to present on the state of IoT cyber regulation in the EU and the US at meetings of the IIC Security Working Group. Both of our presentations are available on YouTube.
While there are no current cyber regulations for IoT devices in the US, Executive Order 14028 last May required NIST to develop a “device labeling program” for “consumer” IoT devices, which I discussed. I did my presentation in early December, a couple of weeks before NIST released preliminary guidelines for the labeling program (their final guidelines are due on February 6, along with their final guidelines for SBOMs and other items addressed in Section 4(e) of the EO). You can view it here (my presentation runs for about 20 minutes, which was followed by another 20 minutes of really good Q&A).
Since NIST hadn’t given any clue as to what they were considering for the program at the time, I was optimistic that it would be what I considered a good program: risk-based and mostly focused on educating the consumer about steps they could take in order to mitigate the risks, rather than giving an up-or-down judgment on whether the device was “secure” or not. My presentation reflects that opinion.
However, when NIST came out with their preliminary guidelines for the IoT device labeling program, I was quite disappointed. They wanted to have a risk-based program, but they also wanted to have an up-or-down label. You can’t have it both ways. Fortunately, those were just preliminary guidelines, and I’m optimistic that what NIST comes out with on the 6th will be better.
Roland presented early in January, along with Isaac Dangana of Red Alert. They discussed the European Cybersecurity Act, which came into effect in 2019. This is meant to be the governance framework for all cyber regulation in Europe, although there are a few national regulatory schemes now in countries like Germany (as well as in particular industries like 5G); these will all be replaced as equivalent European schemes come into effect.
What I find really interesting about the Act is that it doesn’t in itself regulate anything; rather, it provides a governance framework for certification schemes that address particular areas of cybersecurity. The schemes are developed by ENISA, the EU Agency for Cyber Security. Two schemes have already been developed: one for the Common Criteria and one for the cloud. Red Alert was engaged by ENISA to develop guidelines for both of these schemes. Roland expects that ENISA will start work – with industry, of course – on an IoT scheme this year.
To be honest, I never realized there was such a difference between cyber regulation in the US and the EU. I’m not sure how I’d characterize that difference at this point; and since the situation is changing rapidly on both sides of the ocean, I think I’ll wait a while before I form an opinion about who has the better ideas for cyber regulation. Although maybe I’ll decide they both have their strong points and weak points, which is most likely the case.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they necessarily shared by CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.